The most obvious way to fix the vulnerability is to update to the latest version of OpenSSL, but that is not enough in light of the fact that the flaw would have enabled attackers to steal encryption keys.

This means sites could still be vulnerable unless they revoke their security certificates and issue new ones because the encryption keys could have been stolen at any time in the past two years.

Although researchers reported the bug in April 2014, after OpenSSL had been patched, the vulnerability itself was introduced through a coding error in December 2011.

Attackers who retrieved private keys from a server while it was still vulnerable would be able to impersonate the server by creating their own valid SSL certificate.

An attacker could still do this after the affected website has upgraded to the latest version of OpenSSL and deployed a new SSL certificate with different keys.

“Unless the previous certificate is revoked, the site will still be vulnerable to man-in-the-middle attacks,” internet security firm Netcraft warned in a blog post.

But with around 500,000 sites believed to have been using vulnerable versions of OpenSSL, the process of revoking and reissuing security certificates could slow browsing experiences dramatically.

When browsers visit a secure site they download a list of revoked certificates, which has relatively little impact because this list is usually short.

But with hundreds of thousands of sites potentially updating their certificates in the coming weeks, browsers could be faced with extremely long lists to download, potentially slowing browsing to a crawl.

According to Netcraft, if a certificate authority has to revoke 10,000 certificates, the revocation list will have 10,000 certificates on it, resulting in a download that is hundreds of megabytes.
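The two points above, that a reissued certificate does not protect a site until the old one is revoked, and that the revocation only takes effect once it appears on the CRL a client downloads, can be reproduced with a throwaway CA. This is an added example, not code from the article or from Netcraft; it assumes the openssl command-line tool is installed, and every name, directory and serial number in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: a throwaway CA shows that rotating the
# key is not enough; the old (assumed leaked) cert validates until it is revoked
# and the revocation reaches the CRL a client checks. Assumes openssl on PATH.
set -e

build_ca() {  # all names below are constructed for the demo
  WORK=$(mktemp -d); cd "$WORK"
  mkdir newcerts; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -config ca.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -subj "/CN=Demo CA" 2>/dev/null
}
issue_cert() {  # $1 labels the site's key/cert files; same CN as a real reissue
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=www.example.test" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -in "$1.csr" -out "$1.crt" 2>/dev/null
}
revoke_cert() {  # what the CA does once told the key leaked: revoke, publish CRL
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}
client_verify() {  # a CRL-checking client; exit 0 means the cert is trusted
  cat ca.crt ca.crl > trust.pem
  openssl verify -crl_check -CAfile trust.pem "$1.crt" >/dev/null 2>&1
}
build_ca; issue_cert old; issue_cert new; revoke_cert old  # old key = leaked
```

After this runs, `client_verify new` succeeds while `client_verify old` fails with a "certificate revoked" error; comment out the `revoke_cert old` call and the old, leaked certificate passes the same check, which is exactly the window Netcraft describes.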

The most critical websites belonging to banks and governments were not vulnerable to the Heartbleed bug, and most of the prominent sites that were affected have already completed the process of reissuing and revoking their certificates.

But so far only 80,000 certificates have been revoked, said Netcraft, which means there are about 420,000 still to go.

Certificate revocation has always been a bottleneck since SSL was invented, according to Mark Manulis, a senior lecturer at the University of Surrey's computing department.

If Heartbleed leads to large-scale revocations, that could cause problems, he told the BBC, as not all browsers download the lists and there are potentially hundreds of certification authorities to contact.

"Each browser would have to contact each of those authorities and download the lists because those lists are not shared," said Manulis.
